This is a medium level box which involved bruteforcing the login pin then gaining a shell from the web page which is kinda unique.
Initially we will start nmap scan on the box
NMAP
Nmap scan report for 192.168.1.99
Host is up (0.00014s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 2f:90:c5:7c:a1:62:89:3a:ec:ea:c3:51:fa:77:f8:3f (RSA)
| 256 8e:21:71:85:04:3d:a7:db:1d:e6:6f:16:27:0c:0d:c9 (ECDSA)
|_ 256 e2:39:c7:eb:f2:6d:53:0f:fd:3c:2c:05:31:c9:5b:f2 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:3B:F9:C5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds
From the scan we have only 2 ports ssh and http so we will enumerate http.
PORT 80
index.html page had nothing except for a good luck message it also had robots.txt which I manually checked and it showed a whoami.php but wasn’t in the current directory. So I ran gobuster and it returned as an “admin” directory
I wasn’t satisfied so I ran another directory fuzz with a different wordlist and also with a different tool called feroxbuster which is a really cool tool which can dig deeper and search for files recursively if it finds a directory.
Now I did find whoami.php but going directly to it resulted in nothing
It was the same for command.php
All of this Lead to nowhere so there was a login pin page so we could bruteforce the pin using hydra for that we need to make a wordlists of numbers with a length of 4.
Now here I am specifying minimum and maximum length of 4 and after that those numbers are what we are going to build our word list with also -t is telling what format it will use so % in hydra is number pattern.
Now hydra wants both username and password parameter but we can use only one parameter to brute force so it can be done like this
After this we find our pin and by going to whoami.php it tells us that we are logged in as melon.
Go back to /admin we can login as melon with the pin we have found
On visiting command.php we see there is a filed for entering our IP address and if we enter the address it will show us an error that numbers are accepted which means we have to covert our IP to decimal number
After converting IP to decimal number submit it and start wireshark to see what request is being made.
Here I searched for target IP which is 192.168.1.99 which was trying to connect to port 4444 of our IP so we know that we need to listen for port 4444 on our netcat.
After getting on the box I transfer linpeas from my machine to target for enumerating for any hidden files or SUID’s but found that we can run capability which is like SUID.
But this must be run as sudo so I searched the machine for any files that may give us the password for melon but couldn’t find it anywhere so I randomly guessed that his password must be the username and I was right !
Going to GTFOBINS I found the escalation from hping3 and we got root !!
